[c-nsp] 2821 NAT Limitations

Rodney Dunn rodunn at cisco.com
Thu Oct 14 05:47:13 EDT 2010


In the spirit of technical accuracy.

NAT is a more complex feature than it appears on the surface. In regard 
to the "process switch" portion: NAT today for normal HTTP traffic is 
CEF switched, even the SYNs, along with the payload data.
The FIN/RSTs are punted to tear the translations down.

As for the 2821 specifically, NAT is no different there (assuming same 
code version) than it is on a 72xx for example. Only difference is CPU 
power and memory (depending on the difference).

Therefore, scale is directly related to those two factors on the 
platform. And port ranges if you do overload.

The main factors to watch from a scale perspective are:

CPU
Memory
NAT pool allocation
Input Queue drops on interfaces (set them to the max)

Good NAT'ing. :)

For an IOS device the ASR1k is the leader today. It does ALL NAT'ing 
(even ALG) in the *hardware* forwarding path.

Rodney



On 10/13/10 5:40 PM, Ge Moua wrote:
> Forgot to mention that I'm fairly certain that the many NAT sessions that
> you require will overrun the 2800, which process switches that function (no
> good).
>
> --
> Regards,
> Ge Moua
> Network Design Engineer
>
> University of Minnesota | OIT - NTS
> --
>
>
> On 10/13/10 4:38 PM, Ge Moua wrote:
>> We do upwards of 75,000 NAT sessions on an ASA-5550 with no problems;
>> the bad thing here for you is that you'll also need a router platform to
>> do the route maps.
>>
>> Not sure if you can split the functions, but if so then this might
>> work for you.
>>
>> --
>> Regards,
>> Ge Moua
>> Network Design Engineer
>>
>> University of Minnesota | OIT - NTS
>> --
>>
>>
>> On 10/13/10 4:11 PM, Dan Letkeman wrote:
>>> Hi,
>>>
>>> Wondering if anyone has some experience with the NAT limitations on a
>>> 2821 router? I have about 1500 users, about half of whom are on
>>> the internet at one time, but we have a proxy web filter appliance
>>> that all of the clients connect to that does a website lookup and
>>> check before it lets the client access the page, so it creates a
>>> separate entry for every page requested. This doubles the NAT entries
>>> in the router.
>>>
>>> Would 40,000 - 60,000 NAT translation entries be too much for a 2821?
>>> It's not doing much else except NAT and a couple of route-maps.
>>>
>>> If so, what device would be recommended that could handle this amount
>>> of translations?
>>>
>>> Thanks,
>>> Dan.
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
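As an added example (not from Rodney's post, and not Cisco code), the following Python script checks the scale factors he lists: active translations against the PAT port range of the pool, CEF versus punted packets, pool misses, CPU, and input queue drops. It runs on constructed sample text written in the style of IOS `show ip nat statistics` and `show interfaces` output; the exact counter layout, the figure of 64512 usable PAT ports per pool address (1024-65535) and the 4096 upper bound for `hold-queue ... in` are assumptions of this example, so adjust them to your IOS release.

```python
import re

# Constructed sample in the style of "show ip nat statistics" (not real device output).
NAT_STATS = """\
Total active translations: 48210 (2 static, 48208 dynamic; 48208 extended)
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 918273645  Misses: 120455
CEF Translated packets: 917000000, CEF Punted packets: 1273645
Expired translations: 4011233
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool NATPOOL refcount 48208
 pool NATPOOL: netmask 255.255.255.0
        start 203.0.113.10 end 203.0.113.10
        type generic, total addresses 1, allocated 1 (100%), misses 0
"""

# Constructed sample in the style of "show interfaces" (only the lines we need).
INTERFACES = """\
GigabitEthernet0/0 is up, line protocol is up
  Input queue: 75/75/3187/0 (size/max/drops/flushes); Total output drops: 0
GigabitEthernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

PORTS_PER_ADDRESS = 64512   # assumed usable PAT ports per pool address (1024-65535)
MAX_HOLD_QUEUE = 4096       # assumed upper bound of "hold-queue <n> in"

POOL_RE = re.compile(
    r"pool (\S+):.*?total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)", re.S)
QUEUE_RE = re.compile(r"^(\S+) is .*?\n\s*Input queue: (\d+)/(\d+)/(\d+)/(\d+)", re.M)


def parse_nat_stats(text):
    """Extract the scale-relevant counters from 'show ip nat statistics' text."""
    stats = {"active": 0, "cef": 0, "punted": 0, "pools": []}
    m = re.search(r"Total active translations: (\d+)", text)
    if m:
        stats["active"] = int(m.group(1))
    m = re.search(r"CEF Translated packets: (\d+), CEF Punted packets: (\d+)", text)
    if m:
        stats["cef"], stats["punted"] = int(m.group(1)), int(m.group(2))
    for m in POOL_RE.finditer(text):
        stats["pools"].append({"name": m.group(1), "addresses": int(m.group(2)),
                               "allocated": int(m.group(3)), "pct": int(m.group(4)),
                               "misses": int(m.group(5))})
    return stats


def parse_input_queues(text):
    """Map interface name -> input queue size/max/drops/flushes from 'show interfaces'."""
    return {m.group(1): {"size": int(m.group(2)), "max": int(m.group(3)),
                         "drops": int(m.group(4)), "flushes": int(m.group(5))}
            for m in QUEUE_RE.finditer(text)}


def pool_utilization(active, pool, ports_per_address=PORTS_PER_ADDRESS):
    """Percentage of the pool's PAT port space consumed by the active translations."""
    return round(100.0 * active / (pool["addresses"] * ports_per_address), 1)


def assess(nat, queues, cpu_pct, ports_per_address=PORTS_PER_ADDRESS):
    """Return human-readable findings for the factors that bound NAT scale."""
    findings = []
    if cpu_pct >= 75:
        findings.append(f"CPU at {cpu_pct}%: translation setup/teardown is CPU bound")
    for pool in nat["pools"]:
        util = pool_utilization(nat["active"], pool, ports_per_address)
        if util > 70:
            findings.append(f"pool {pool['name']}: {util}% of PAT port space in use "
                            f"({nat['active']} translations over {pool['addresses']} address(es))")
        if pool["misses"]:
            findings.append(f"pool {pool['name']}: {pool['misses']} allocation misses")
    total = nat["cef"] + nat["punted"]
    if total and nat["punted"] / total > 0.05:
        findings.append(f"{nat['punted']} of {total} packets punted from CEF to process switching")
    for iface, q in queues.items():
        if q["drops"]:
            findings.append(f"{iface}: {q['drops']} input queue drops with hold-queue {q['max']}; "
                            f"consider 'hold-queue {MAX_HOLD_QUEUE} in'")
    return findings


if __name__ == "__main__":
    nat = parse_nat_stats(NAT_STATS)
    queues = parse_input_queues(INTERFACES)
    for line in assess(nat, queues, cpu_pct=82):   # 82% CPU is a constructed value
        print("WARN:", line)
```

The thresholds (70% of port space, 5% punt ratio, 75% CPU) are starting points for a monitoring check, not vendor figures; the useful part is tracking the translation count against the port space the pool actually offers, which is the limit Rodney points at for overload.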

